Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456
Vulnerabilities
Page 17 of 67
CVE-2024-7296 | LOW | CVSS 2.7 | 2024
[LOW] CVE-2024-7296: gitlab
An issue was discovered in GitLab EE affecting all versions from 16.5 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2 which allowed a user with a custom permission to approve pending membership requests beyond the maximum number of allowed users.
Scope: local
sid: resolved
debian
CVE-2024-5528 | LOW | CVSS 3.5 | fixed in gitlab 17.3.5-2 (sid) | 2024
[LOW] CVE-2024-5528: gitlab
An issue was discovered in GitLab CE/EE affecting all versions prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows a subdomain takeover in GitLab Pages.
Scope: local
sid: resolved (fixed in 17.3.5-2)
debian
CVE-2024-12244 | LOW | CVSS 4.3 | 2024
[MEDIUM] CVE-2024-12244: gitlab
An issue has been discovered in GitLab EE access controls that could allow users to view certain restricted project information even when the related features are disabled, affecting all versions from 17.7 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1.
Scope: local
sid: resolved
debian
CVE-2024-3127 | LOW | CVSS 4.3 | 2024
[MEDIUM] CVE-2024-3127: gitlab
An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL allowing unauthorised users to perform some actions at the group level.
Scope:
debian
CVE-2024-4660 | LOW | CVSS 6.5 | 2024
[MEDIUM] CVE-2024-4660: gitlab
An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates.
Scope: local
sid: resolved
debian
CVE-2024-0861 | LOW | CVSS 4.3 | 2024
[MEDIUM] CVE-2024-0861: gitlab
An issue has been discovered in GitLab EE affecting all versions starting from 16.4 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Users with the `Guest` role can change `Custom dashboard projects` settings contrary to permissions.
Scope: local
sid: resolved
debian
CVE-2024-8974 | LOW | CVSS 2.6 | fixed in gitlab 17.3.5-3 (sid) | 2024
[LOW] CVE-2024-8974: gitlab
Information disclosure in GitLab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1. In specific conditions it was possible to disclose the path of a private project to an unauthorised user.
Scope: local
sid: resolved (fixed in 17.3.5-3)
debian
CVE-2024-3115 | LOW | CVSS 4.3 | 2024
[MEDIUM] CVE-2024-3115: gitlab
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to access issues and epics without having an SSO session using Duo Chat.
Scope: local
sid: resolved
debian
CVE-2024-2880 | LOW | CVSS 2.7 | fixed in gitlab 17.3.5-2 (sid) | 2024
[LOW] CVE-2024-2880: gitlab
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 in which a user with `admin_group_member` custom role permission could ban group members.
Scope: local
sid: resolved (fixed in 17.3.5-2)
debian
CVE-2024-8402 | LOW | CVSS 3.7 | 2024
[LOW] CVE-2024-8402: gitlab
An issue was discovered in GitLab EE affecting all versions starting from 17.2 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. An input validation issue in the Google Cloud IAM integration feature could have enabled a Maintainer to introduce malicious code.
Scope: local
sid: resolved
debian
CVE-2024-9773 | LOW | CVSS 3.7 | 2024
[LOW] CVE-2024-9773: gitlab
An issue was discovered in GitLab EE affecting all versions starting from 14.9 before 17.8.6, all versions starting from 17.9 before 17.9.3, all versions starting from 17.10 before 17.10.1. An input validation issue in the Harbor registry integration could have allowed a maintainer to add malicious code to the CLI commands shown in the UI.
Scope: local
sid: resolved
debian
CVE-2024-10925 | LOW | CVSS 5.3 | 2024
[MEDIUM] CVE-2024-10925: gitlab
A vulnerability in GitLab EE affecting all versions from 16.2 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows a Guest user to read Security policy YAML.
Scope: local
sid: resolved
debian
CVE-2024-7110 | LOW | CVSS 6.4 | 2024
[MEDIUM] CVE-2024-7110: gitlab
An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1 that allows an attacker to execute arbitrary commands in a victim's pipeline through prompt injection.
Scope: local
sid: resolved
debian
CVE-2024-12303 | LOW | CVSS 6.7 | 2024
[MEDIUM] CVE-2024-12303: gitlab
An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated users with specific roles and permissions to delete issues including confidential ones by inviting users with a specific role.
Scope: local
sid: resolved
debian
CVE-2024-8977 | LOW | CVSS 8.2 | 2024
[HIGH] CVE-2024-8977: gitlab
An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks.
Scope: local
sid: resolved
debian
CVE-2024-6685 | LOW | CVSS 3.1 | fixed in gitlab 17.3.5-2 (sid) | 2024
[LOW] CVE-2024-6685: gitlab
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, where group runners information was disclosed to unauthorised group members.
Scope: local
sid: resolved (fixed in 17.3.5-2)
debian
CVE-2024-10240 | LOW | CVSS 5.3 | 2024
[MEDIUM] CVE-2024-10240: gitlab
An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, all versions starting from 17.5 before 17.5.2 in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances.
Scope: local
sid: resolved
debian
CVE-2024-0231 | LOW | CVSS 2.7 | fixed in gitlab 17.3.5-2 (sid) | 2024
[LOW] CVE-2024-0231: gitlab
A resource misdirection vulnerability in GitLab CE/EE versions 12.0 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows an attacker to craft a repository import in such a way as to misdirect commits.
Scope: local
sid: resolved (fixed in 17.3.5-2)
debian
CVE-2024-11129 | LOW | CVSS 6.3 | 2024
[MEDIUM] CVE-2024-11129: gitlab
An issue has been discovered in GitLab EE affecting all versions from 17.1 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. This allows attackers to perform targeted searches with sensitive keywords to get the count of issues containing the searched term.
Scope: local
sid: resolved
debian
CVE-2024-4597 | LOW | CVSS 5.7 | 2024
[MEDIUM] CVE-2024-4597: gitlab
An issue has been discovered in GitLab EE affecting all versions from 16.7 before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. An attacker could force a user with an active SAML session to approve an MR via CSRF.
Scope: local
sid: resolved
debian
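Every entry on this page states its affected versions as one or more "from X prior to Y" or "X before Y" ranges, and the Debian fix notes give a package version such as 17.3.5-2 rather than an upstream version. The script below is an added example, my own code and not part of this tracker, of GitLab, or of Debian tooling: it parses those range phrases, strips the Debian epoch and revision from a package version so it can be compared with upstream numbers, and reports which of three entries transcribed from this page affect a given version. The regex, the helper names and the ENTRIES dictionary are my own; only the version strings in ENTRIES come from the descriptions above. It rejects inverted ranges (lower bound not below the upper bound) instead of treating them as empty, since such a range is a transcription error that would otherwise hide an affected version.

```python
"""Match a GitLab version against the affected-version ranges quoted in
this tracker's entries.  Added example: my own code, not part of the
tracker page, GitLab, or Debian tooling."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
# (inclusive lower bound, or None for "all versions prior to"; exclusive upper bound)
Range = Tuple[Optional[Version], Version]

# Constructed sample: range phrases transcribed from three entries on this page.
ENTRIES: Dict[str, str] = {
    "CVE-2024-7296": "all versions from 16.5 prior to 17.7.7, 17.8 prior to 17.8.5, "
                     "and 17.9 prior to 17.9.2",
    "CVE-2024-5528": "all versions prior to 16.11.6, starting from 17.0 prior to 17.0.4, "
                     "and starting from 17.1 prior to 17.1.2",
    "CVE-2024-8977": "all versions starting from 15.10 prior to 17.2.9, from 17.3 prior "
                     "to 17.3.5, and from 17.4 prior to 17.4.2",
}

# One range phrase: an optional "[starting] [from] X" lower bound, then
# "prior to Y" or "before Y".  A bare "17.8 prior to 17.8.5" is also accepted.
_RANGE_RE = re.compile(
    r"(?:(?:starting\s+)?(?:from\s+)?(?P<lo>\d+(?:\.\d+)+)\s+)?"
    r"(?:prior\s+to|before)\s+(?P<hi>\d+(?:\.\d+)+)"
)


def parse_version(text: str) -> Version:
    """'17.3.5' -> (17, 3, 5); tuples compare correctly across lengths."""
    return tuple(int(part) for part in text.split("."))


def parse_ranges(description: str) -> List[Range]:
    """Extract every affected range from an advisory sentence.

    Raises ValueError when no range is found or when a range is inverted,
    e.g. 'from 17.9 before 17.8.3': that is a transcription error, not an
    empty range, and must not silently match nothing.
    """
    ranges: List[Range] = []
    for match in _RANGE_RE.finditer(description):
        lo = parse_version(match.group("lo")) if match.group("lo") else None
        hi = parse_version(match.group("hi"))
        if lo is not None and lo >= hi:
            raise ValueError(f"inverted range: {match.group(0)!r}")
        ranges.append((lo, hi))
    if not ranges:
        raise ValueError("no version range found in description")
    return ranges


def is_affected(version: Version, ranges: List[Range]) -> bool:
    """True when version falls inside any [lo, hi) range."""
    return any((lo is None or lo <= version) and version < hi for lo, hi in ranges)


def debian_upstream_version(package_version: str) -> Version:
    """Strip a Debian epoch ('1:'), revision ('-2') and any '+ds'/'~rc'
    suffix from a package version so it can be compared with upstream."""
    upstream = package_version.split(":", 1)[-1]
    upstream = upstream.rsplit("-", 1)[0]
    upstream = re.split(r"[+~]", upstream, maxsplit=1)[0]
    return parse_version(upstream)


def affected_cves(version: str, entries: Dict[str, str] = ENTRIES) -> List[str]:
    """CVE IDs from `entries` whose ranges include the given upstream version."""
    installed = parse_version(version)
    return sorted(cve for cve, text in entries.items()
                  if is_affected(installed, parse_ranges(text)))


if __name__ == "__main__":
    for candidate in ("17.3.4", "17.3.5", "17.7.7"):
        print(candidate, "->", affected_cves(candidate) or "none of the sampled entries")
```

The upstream comparison is only half of a Debian check: a package whose upstream version is inside an affected range may still carry a backported fix, which is why the "sid: resolved" state on this page comes from the Debian tracker's own judgement and not from the version number alone. Use the range match to find candidates, then confirm against the tracker entry or the package changelog.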